There is an increase in global scrutiny of how organisations store user data and the recent Cambridge Analytica’s misuse of Facebook user data, the Reserve Bank of India has proposed amendments to Payment and Settlement Systems Act 2017 for the domestic storage of payment systems data and the Committee headed by Justice B.N. Srikrishna submitted a Draft of Personal Data Protection Bill, 2018 to IT Minister Ravi Shankar Prasad. Adding to these local data storage requirements for digital payments and e-commerce sectors, Kris Gopalakrishnan Committee on Cloud Computing Policy also will be proposing in its draft that the data generated in India to be stored within the country.
It is in Government’s interest in protecting their citizens data against any misuse. The ground reality is that India has been way behind in adopting Data Sovereignty policy especially in view of the scale of our IT industry and the economy in general. While there are benefits of allowing data to flow freely between countries, the notion that data sovereignty restricts the cross-border data transfer is a “misconception”.
Data Sovereignty is a concept that the data are subject to laws within the nation it is collected. It focuses on the location where the data needs to be stored and compliance with the personal data protection requirements and rules governing data movement and placement. Data localisation does not limit the access to any global network nor does it reduce the ability of citizens and consumers to access and contribute to online resources and opportunities globally.
Countries such as Russia, Germany, France, Indonesia, Vietnam have mandated via their strict data sovereignty laws that their citizen’s data is to be stored on physical servers within the country’s physical borders. Certain United States federal agencies require their data be stored exclusively within the United States. Australia has clearly defined legal framework with its updated Australia Privacy Act on how the data should be stored and controlled. Europe’s General Data Protection Regulation (GDPR) also restrict organisations from transferring personal data that originated in Europe to any country with inadequate data protection laws.
The introduction of the Data Protection Bill and the impact of other global laws with stricter data sovereignty requirements, will drive the organisations to develop data centres in multiple regions in order to store data locally, and minimize the impact of new regulations. For example, United States’ Consolidated Audit Trail (CAT) reporting and European Union’s The Markets in Financial Instruments Directive (MiFID ii) require organisations to log financial transactions at granular level, which will necessitate fine synchronisation of internal clock system across multiple data centres.
While organisations will need to modernize their approach to data management, maintaining the right balance between control and accessibility, they need to also consider techniques for managing, monetizing and unlocking the value of information within their enterprise. By addressing the following data related areas – management and architecture, compliance to domestic and international regulations and data ownership, they will evolve into insight-driven organisations. While there will be long-term investments in data cataloging, integration, security and other areas, the organisations can create a dynamic data management construct.
Implementation of new data centres will give a boost to the IT industry as it will generate a booming demand for high-skilled IT professionals in information security, privacy, data centre, networking, telecommunications, etc. across all levels. Any associated services in mechanical, electronic engineering, construction, architecture, infrastructure, logistics, to name a few, that will be rendered to design, construct and manage these data centres will also result in revenue and employment generation. The cost of setting up data centres is far less than the revenue generated by the global companies in India.
India can be well positioned to become the data capital of Asia by setting up of large data centres in suitable sites across the country. Indian Government should accord data centres as strategic infrastructure status and ensure suitable benefits such as 5-year tax holidays, subsidised land acquisition cos and power consumption, one-window clearance under the Startup India program, manpower skilling scheme benefits are given to organisations developing data centres. As a result, India will be known as world’s key digital hubs, creating a digital ecosystem which facilitates and supports the needs of multinational companies across industries.
Data Sovereignty does not limit the adoption of cloud-based services, if the cloud providers are transparent of their security control capabilities and comply with the local laws. The high level of transparency will build trust and give confidence that their data is being protected and is in compliance with regulations.
The Ministry of Commerce and Industry should ensure that all trade deals after the passage of India’s Privacy Bill should incorporate an approved legal framework that will aim to strike balance between the right to privacy and the organisations that will access user’s personal data to sell their services. Privacy should be prioritised over free trade thereby making clear that India’s fundamental right to personal privacy cannot be negotiated during trade discussions. This practice has been followed by countries in EU-bloc, Australia, amongst others.
India has had investments by foreign organisations steadily every year and the future looks good. Data Sovereignty will not be a hindrance to such investment and work with the Indian Government in the compliance of the nation’s data privacy regulations.
Data localisation will attract investment, generate employment across multiple sectors, increase innovation, create competitive advantage of India as a digital hub, protect national autonomy and position India better in the Internet governance order.
Data has become the new oil of this century. Data colonisation by organisations such as Facebook, WhatsApp, whose user base has surpassed than in the United States, is a concern both from privacy as well as national security perspective. To protect the privacy of Indian citizens, it is imperative that Indian Parliament passes the Personal Data Protection Bill, 2018 within the next session, which will requires organisations to implement the data localisation strategy. India should not be subject to the rule of colonisation dominated by a handful of providers.